Abstract. Existential fixed point logic (EFPL) is a natural fit for some 
applications, and the purpose of this talk is to attract attention to EFPL. 
The logic is also interesting in its own right as it has attractive properties. 
One of those properties is rather unusual: truth of formulas can be defined 
(given appropriate syntactic apparatus) in the logic. We mentioned that 
property elsewhere, and we use this opportunity to provide the proof. 



Believe those who are seeking the truth. Doubt those who find it. 

— Andre Gide 

1 Introduction 

First-order logic lacks induction but first-order formulas can be used to define 
the steps of an induction. Consider a first-order (also called elementary) formula 
$\varphi(P, x_1, \ldots, x_j)$ where a $j$-ary relation $P$ has only positive occurrences. 
The formula may contain additional individual variables, relation symbols, and function 
symbols. In every structure whose vocabulary is that of $\varphi$ minus the symbol $P$ 
and where the additional individual variables are assigned particular values, we 
have an operator 

$$\Gamma(P) = \{\bar{x} : \varphi(P, \bar{x})\}.$$

A relation $P$ is a closed point of $\Gamma$ if $\Gamma(P) \subseteq P$, and $P$ is a fixed point of $\Gamma$ 
if $\Gamma(P) = P$. Since $P$ has only positive occurrences in $\varphi(P, \bar{x})$, the operator is 
monotone: if $P \subseteq Q$ then $\Gamma(P) \subseteq \Gamma(Q)$. By the Knaster-Tarski Theorem, $\Gamma$ has 
a least fixed point $P^*$ which is also the least closed point of $\Gamma$ [20]. 

There is a standard way to construct $P^*$ from the empty set by iterating 
the operator $\Gamma$. Let $P^0 = \emptyset$, $P^{\alpha+1} = \Gamma(P^\alpha)$ and $P^\lambda = \bigcup_{\alpha<\lambda} P^\alpha$ if $\lambda$ is a limit 
ordinal. There is an ordinal $\alpha$ such that $P^\alpha = P^{\alpha+1} = P^*$. The least such ordinal 
$\alpha$ is the closure ordinal of the iteration. Such elementary inductions have been 
extensively studied in logic [17, 1]. 

Notice that we have not really used the fact that $\varphi(P, \bar{x})$ is first-order. One 
property of $\varphi(P, \bar{x})$ that we used was that $\varphi(P, \bar{x})$ is monotone in $P$, that is, 
that in every structure of the appropriate vocabulary with fixed values for the 
additional individual variables, $\Gamma$ is a monotone operator. $\varphi(P, \bar{x})$ could be e.g. 
a second-order formula monotone in $P$. 



The least fixed point $P^*$ can be denoted $\mathrm{LFP}_{P,\bar{x}}\,\varphi(P, \bar{x})$ and viewed as a $j$-ary 
relation, so that $[\mathrm{LFP}_{P,\bar{x}}\,\varphi(P, \bar{x})](y_1, \ldots, y_j)$ functions semantically as a formula. 
This observation gives rise to an idea to use LFP as a new formula constructor, 
in addition to propositional connectives and quantifiers. Aho and Ullman [2] 
indeed suggested enriching first-order logic with the LFP constructor. The new 
logic became known as FOL+LFP. 

Model checking is polynomial time for any FOL+LFP formula $\psi$. In other 
words, it can be checked in time polynomial in the size of a finite structure 
$X$ of the vocabulary of $\psi$ whether $X$ with some values for the free individual 
variables of $\psi$ is a model of $\psi$. Immerman [16] and Vardi [21] proved that, 
over ordered finite structures, the converse is true: every property that model 
checks in polynomial time is expressible in FOL+LFP. In that sense, FOL+LFP 
captures polynomial time. 

Existential fixed point logic (EFPL) is essentially an extension of the 
existential fragment of first-order logic with the LFP construct. It does not have 
the universal quantifier and lacks means to simulate universal quantification; 
see the definition of EFPL in the next section. As far as we know, it was first 
introduced — in a different guise — by Chandra and Harel [10] in the context 
of database theory where vocabularies are relational, that is, consist of relation 
symbols and constants and do not have function symbols of positive arity. 
Chandra and Harel observed that relational EFPL is equi-expressive with Datalog, a 
popular database query language. 

Existential fixed point logic (EFPL) was further developed by the present 
authors in [7]; see Section 3. The motivation came from program verification. 
We noticed that EFPL was appropriate for formulating pre- and post-conditions 
in Hoare's logic of asserted programs [15]. In particular, the heavy expressivity 
hypothesis needed for Cook's completeness theorem [12] in the context of first- 
order logic is automatically satisfied in the context of EFPL. 

More recent developments include a deductive system for EFPL introduced 
by Compton [11] and a normal form for EFPL formulas discovered by Grohe [13], 
who also studied connections between EFPL and other logics. One of the present 
authors found connections with topos theory and showed that these connections 
imply some of the other, previously known, nice properties of EFPL [6, 5]. The 
other of the present authors, together with Neeman, applied a logic equivalent 
to EFPL, called liberal Datalog, to develop a powerful authorization language 
[14]; the equivalence between liberal Datalog and EFPL is shown in detail in [9]. 

In this note, we recall the definition and known properties of EFPL, and then 
we prove that the truth definition of EFPL formulas can be given in EFPL. 



Remark 1 Nikolaj Bjørner [4] observed that writing a truth definition for EFPL 
in EFPL is related to writing an interpreter for EFPL in EFPL. Indeed. But the 
interesting issue is out of scope here, in this paper, and will have to be addressed 
elsewhere. 



2 Existential fixed-point logic: Definition 

As indicated in the introduction, existential fixed-point logic differs from 
first-order logic in two respects, the absence of the universal quantifier and the 
presence of the least-fixed-point operator. Both of these deserve some clarification. 

First we define existential logic EL. Notice that mere removal of the universal 
quantifier $\forall$ has no real effect on first-order logic, since $\forall x\,\varphi$ can be expressed 
as $\neg\exists x\,\neg\varphi$. To correctly define the existential fragment of first-order logic, one 
must prevent such surreptitious reintroduction of the universal quantifier. A 
traditional way to do that is to insist that all formulas have the prenex existential 
form $\exists x_1 \ldots \exists x_n\,\psi(x_1, \ldots, x_n)$ where $\psi$ is quantifier-free. 

But there is an alternative and more convenient form of the existential 
fragment proposed in [7]: Allow as propositional connectives only conjunction, 
disjunction, and negation; use only the existential quantifier; and apply negation 
only to atomic formulas. It is easy to see that every formula in this 
alternative fragment is equivalent to one in prenex existential form, and the other way 
round. 

With an eye on the forthcoming introduction of recursion, we stipulate that 
all relation symbols are divided into two categories: negatable and positive. And 
we restrict further the use of negation in the alternative existential fragment of 
first-order logic: negation can be applied only to atomic formulas with 
negatable relation symbols. The resulting fragment of first-order logic will be called 
existential logic and denoted EL. 

Now we extend existential logic by adding a new formula constructor. As 
usual, formulas are built by induction from atomic formulas by means of 
formula constructors. In the case of EFPL, the formula constructors are those of 
existential logic — the three propositional connectives and the existential 
quantifier — and one additional LET-THEN constructor that is used to construct 
induction assertions. We explain how the new constructor works. 

Let $\mathcal{F}$ be the collection of formulas constructed so far. A logic rule has the 
form $P(x_1, \ldots, x_j) \leftarrow \delta(P, x_1, \ldots, x_j)$ where $P$ is a positive relation symbol of 
arity $j$, the $x_i$'s are distinct variables and $\delta$ is any formula in $\mathcal{F}$. We wrote $\delta$ as 
$\delta(P, x_1, \ldots, x_j)$ to emphasize that it is allowed to contain the relation symbol 
$P$ and the individual variables $x_1, \ldots, x_j$, but it may also contain additional 
individual variables, relation symbols, and function symbols. $P$ is the head symbol 
of the rule and $\delta$ is its body. Note that the arrow $\leftarrow$ in a logic rule is not the 
(reverse) implication connective but a special symbol whose only use, in our 
syntax, is in forming logic rules. A logic program is a finite collection of logic 
rules. (To write a program as text, one needs to order its rules, but the choice of 
ordering will never matter.) To be compatible with [7], we require that different 
rules have different head symbols; we could remove this restriction. If $\Pi$ is a 
program and $\varphi$ is a formula in $\mathcal{F}$ then 

$$\text{LET } \Pi \text{ THEN } \varphi$$

is an EFPL formula, an induction assertion. If $P(x_1, \ldots, x_j) \leftarrow \delta$ is a rule in $\Pi$ 
then all occurrences of the variables $x_1, \ldots, x_j$ in the rule are bound occurrences 
in the induction assertion. And $P$ is a bound relation variable in the induction 
assertion. 

In general, an occurrence of an individual variable $v$ in a formula $\psi$ is 
bound if it belongs to a subformula of the form $\exists v\,\alpha$ or to a rule of the form 
$P(\ldots, v, \ldots) \leftarrow \delta$; otherwise the occurrence is free. The free individual variables 
of $\psi$ are those with free occurrences in $\psi$. An occurrence of relation symbol $P$ 
in $\psi$ is bound if it belongs to a subformula LET $\Pi$ THEN $\varphi$ of $\psi$ and $P$ is a head 
symbol of $\Pi$; otherwise the occurrence is free. The vocabulary of $\psi$ consists of 
all the function symbols in $\psi$ and all relation symbols with free occurrences in 
$\psi$. 

It remains to define the semantics of the induction assertion $\psi$ = LET $\Pi$ 
THEN $\varphi$. To simplify the exposition, we presume that the program $\Pi$ consists 
of two rules, $P(x_1, \ldots, x_j) \leftarrow \alpha$ and $Q(y_1, \ldots, y_k) \leftarrow \beta$. In every structure of 
the vocabulary of $\psi$ with fixed values for the free individual variables of $\psi$, the 
program gives rise to an operator 

$$\Gamma(P, Q) = (\{\bar{x} : \alpha\}, \{\bar{y} : \beta\}).$$

Since $P$ and $Q$ are positive relation symbols, $\Gamma$ is monotone and thus has a least 
fixed point $(P^*, Q^*)$. To evaluate $\psi$, evaluate $\varphi$ using $P^*$ and $Q^*$ as the values 
of relations $P$ and $Q$. 
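
The semantics just described, as an added example (not code from the paper): a small Python evaluator for EFPL formulas over a finite structure that computes the simultaneous least fixed point of a two-rule program by iterating from empty relations, then evaluates the formula after THEN. The tuple encoding of formulas, the `Structure` class and the delegation data (`Owner`, `Delegates`, `Revoked`, `Editor`, `CanRead`, `CanWrite`) are assumptions made for this illustration.

```python
from itertools import product

# Encoding assumed by this example (constructed here, not from the paper):
#   term:    variable name (str) or ("app", f, [terms])
#   formula: ("atom", P, [terms]) | ("neg", atom) | ("and", a, b)
#            | ("or", a, b) | ("exists", v, a) | ("let", program, a)
#   program: dict, head symbol -> ([head variables], body)

class Structure:
    def __init__(self, universe, relations, functions=None, negatable=()):
        self.universe = list(universe)
        self.relations = dict(relations)      # name -> set of tuples
        self.relations["="] = {(a, a) for a in self.universe}
        self.functions = functions or {}      # name -> callable
        self.negatable = set(negatable)       # symbols allowed under "neg"

def val(term, X, s):
    """Value of a term in X under the assignment s."""
    if isinstance(term, str):
        return s[term]
    _, f, args = term
    return X.functions[f](*(val(a, X, s) for a in args))

def least_fixed_point(program, X, s, env=None):
    """Iterate the operator of `program`, starting from empty relations.

    Returns (relations, stages). On a finite structure `stages` is the
    closure ordinal: the least n whose stage equals stage n + 1."""
    env = dict(env or {})
    current = {P: set() for P in program}
    stages = 0
    while True:
        scope = {**env, **current}
        nxt = {
            P: {tup for tup in product(X.universe, repeat=len(xs))
                if sat(body, X, {**s, **dict(zip(xs, tup))}, scope)}
            for P, (xs, body) in program.items()
        }
        if nxt == current:
            return current, stages
        current, stages = nxt, stages + 1

def sat(phi, X, s, env=None):
    """Truth of phi in X under s; env interprets the bound predicates."""
    env = env or {}
    tag = phi[0]
    if tag == "atom":
        _, P, args = phi
        rel = env[P] if P in env else X.relations[P]
        return tuple(val(a, X, s) for a in args) in rel
    if tag == "neg":
        _, P, args = phi[1]
        if P in env or P not in X.negatable:
            # Negating a positive symbol would break monotonicity.
            raise ValueError(f"negation of non-negatable symbol {P}")
        return tuple(val(a, X, s) for a in args) not in X.relations[P]
    if tag == "and":
        return sat(phi[1], X, s, env) and sat(phi[2], X, s, env)
    if tag == "or":
        return sat(phi[1], X, s, env) or sat(phi[2], X, s, env)
    if tag == "exists":
        return any(sat(phi[2], X, {**s, phi[1]: a}, env) for a in X.universe)
    if tag == "let":
        fixed, _ = least_fixed_point(phi[1], X, s, env)
        return sat(phi[2], X, s, {**env, **fixed})
    raise ValueError(f"unknown constructor {tag}")

# Constructed sample structure: principals and a delegation graph.
X = Structure(
    universe=["root", "alice", "bob", "carol"],
    relations={
        "Owner": {("root",)},
        "Delegates": {("root", "alice"), ("alice", "bob"), ("bob", "carol")},
        "Revoked": {("bob",)},
        "Editor": {("alice",), ("carol",)},
    },
    negatable=["Revoked", "="],
)

# CanRead(x)  <- Owner(x) or
#                exists y (CanRead(y) and Delegates(y, x) and not Revoked(x))
# CanWrite(x) <- CanRead(x) and Editor(x)
PROGRAM = {
    "CanRead": (["x"], ("or", ("atom", "Owner", ["x"]),
        ("exists", "y", ("and", ("atom", "CanRead", ["y"]),
            ("and", ("atom", "Delegates", ["y", "x"]),
                    ("neg", ("atom", "Revoked", ["x"]))))))),
    "CanWrite": (["x"], ("and", ("atom", "CanRead", ["x"]),
                                ("atom", "Editor", ["x"]))),
}

def may_write(principal):
    """Evaluate LET PROGRAM THEN CanWrite(u) with u := principal."""
    psi = ("let", PROGRAM, ("atom", "CanWrite", ["u"]))
    return sat(psi, X, {"u": principal})

if __name__ == "__main__":
    rels, stages = least_fixed_point(PROGRAM, X, {})
    print(sorted(rels["CanRead"]), sorted(rels["CanWrite"]), stages)
```

In the sample, `carol` is an editor but never gains `CanWrite`, because the only delegation path to her runs through the revoked principal `bob`; the iteration stabilizes after three stages.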

3 EFPL: Some properties 

We describe some properties of EFPL. The default reference is [7]. 

Capturing polynomial time 

EFPL captures polynomial time computability over structures of the form 
$\{0, 1, \ldots, n\}$ with (at least) the successor relation and names for the endpoints. 
In contrast to the corresponding result for FOL+LFP mentioned above, we use 
the successor relation here rather than the ordering relation $<$. In fact, both 
proofs depend on the successor relation rather than the order, but in FOL one 
can define successor in terms of order (but not vice versa), whereas in EFPL one 
can define order in terms of successor (but not vice versa). 

Validity is r.e. complete 

The set of logically valid EFPL formulas is recursively enumerable (in short r.e.). 
Furthermore, every r.e. set reduces, by means of a recursive function, to the set 
of valid EFPL formulas. Thus the set of valid EFPL formulas is a complete r.e. 
set. 

Satisfiability is r.e. complete 

The set of satisfiable EFPL formulas is a complete r.e. set. 



Finite validity is co-r.e. complete 



The set of EFPL formulas that hold in all finite structures is a complete co-r.e. 
set. In other words, the set of EFPL formulas $\psi$ such that $\psi$ fails in some finite 
structure is a complete r.e. set. 

Finite model property 

When an EFPL formula $\psi$ is satisfied in a structure $X$, this fact depends on only 
a finite part of the structure $X$. More precisely, there is a finite subset $D$ of the 
elements of $X$ such that $\psi$ is satisfied in every structure $X'$ of the vocabulary 
of $X$ that coincides with $X$ on $D$. Note that $X'$ can be always chosen to be 
finite. If we allow basic functions of a structure to be partial, then the property 
in question can be formulated in a particularly simple way: If an EFPL formula 
is satisfied in a structure then it is satisfied in a finite substructure. 

No transfinite induction is needed 

The closure ordinal of any monotone induction 

$$P \mapsto \{\bar{x} : \varphi(P, \bar{x})\},$$

where $\varphi$ is EFPL, is at most $\omega$, the first infinite ordinal. The definition of the 
closure ordinal generalizes in a straightforward way to simultaneous monotone 
induction. The closure ordinal of the induction given by any logic program is at 
most $\omega$. 

Truth is preserved by homomorphisms 

Truth of EFPL formulas is preserved by homomorphisms. Here a homomorphism 
is a function $h$ from one structure to another such that 

— $h$ commutes with (the interpretations of) function symbols, 

— $P(a_1, \ldots, a_j)$ implies $P(ha_1, \ldots, ha_j)$ 
for every positive relation symbol $P$ of any arity $j$, and 

— $P(a_1, \ldots, a_j)$ if and only if $P(ha_1, \ldots, ha_j)$ 
for every negatable relation symbol $P$ of any arity $j$. 

EFPL $\cap$ FOL $\subseteq$ EL 

If an EFPL formula $\psi$ is expressible in first-order logic then $\psi$ is equivalent to 
an existential formula. Only a limited form of this result survives in finite model 
theory. If an EFPL formula $\psi$ without function symbols and without negations 
is equivalent, on finite structures, to a first-order formula, then $\psi$ is equivalent, 
on finite structures, to an existential formula without negations [3, 18]. This fails 
even if $\psi$ has no function symbols and only the equality relation is negatable [3, 
Section 10]. 



4 Prerequisites for truth 



Our objective in the rest of the article is to show that EFPL can formalize its 
own truth definition. That is, we shall define, in EFPL with suitable vocabulary, 
truth of EFPL sentences (that is formulas with no free variables) of the same 
vocabulary. We use the term predicate to mean a relation symbol or a relation 
depending on the context. 

Since sentences are built from subformulas that may have free variables, we 
shall actually define the slightly more general concept of satisfaction of formulas 
by assignments of values to the free variables. The need to define the more general 
notion of satisfaction of formulas in order to obtain truth for sentences is familiar 
from first-order logic. A new complication, of the same general nature, arises 
in EFPL. The bound predicates of a sentence $\varphi$ are free in some subformulas of 
$\varphi$. We should define satisfaction of $\varphi$ in a structure whose vocabulary does not 
include those predicates. But the definition will pass through subformulas of $\varphi$ 
whose satisfaction will depend on the interpretations of those predicates. As a 
result, we need to define satisfaction of $\varphi$ in a context that includes not only 
a structure (for the vocabulary of $\varphi$) and an assignment of values to the free 
variables of $\varphi$ (as in FOL) but also the logic rules that provide the meaning of 
all other predicates that occur in $\varphi$ — or that occur in the bodies of those rules. 

Let $T$ be a vocabulary and $X$ a structure of vocabulary $T$. Any predicate that 
does not occur in $T$ will be called an extra predicate. We shall define satisfaction 
in $X$ for $T$-formulas. Requirements will be imposed shortly on $T$ and $X$, but for 
now $T$ is just some vocabulary and $X$ some $T$-structure. We intend to define, in 
EFPL, a ternary predicate Sat such that, when 

— the value of its first argument is a formula $\varphi$, of vocabulary $T$ plus (possibly) 
some extra predicates, 

— the value of its second argument is a logic program $\Pi$ whose head predicates 
include all extra predicates that occur in $\varphi$ or $\Pi$, and 

— the value of its third argument is an assignment $s$ of elements of $X$ to (at 
least) all individual variables that are free in $\varphi$ or in $\Pi$, 

then the truth value of $\mathrm{Sat}(\varphi, \Pi, s)$ in $X$ is the same as the truth value, in $X$, of $\varphi$ 
with values for its variables given by $s$ and with the extra predicates interpreted 
by the least fixed point of (the monotone operator defined by) $\Pi$. 

Furthermore, we do not intend to use any clever tricks in our definition of 
Sat. It will be a formalization of the explanation given above (and in [7]) of 
the meaning of EFPL formulas. The point of this work is to show that this 
formalization can be carried out in EFPL itself. 

^ A few authors, notably Shoenfield [19], define truth directly. To do so, they expand 
the vocabulary by adding constants for all elements of the structure under consid- 
eration, and instead of assigning values to variables they substitute constants for 
variables. We could have used this approach for EFPL, but we chose to parallel the 
more widely used approach in FOL, via satisfaction. 



For all this to make sense, the structure $X$ must contain the formulas $\varphi$ of 
EFPL, the logic programs $\Pi$, and the assignments $s$. Furthermore, the 
vocabulary must be adequate to express the basic syntactic properties of formulas and 
to allow basic constructions of assignments, rules, and programs. We do not, 
however, wish to specify the exact syntactic nature of formulas — for example, 
are they sequences of symbols, or are they parse trees, or are they Gödel 
numbers? Our work is independent of such details. So we shall merely assume that 
certain notions (e.g., the operation of forming the conjunction of two formulas) 
are expressible; the details of how they are expressed (and which notions are 
primitive and which are derived) are irrelevant.^ 

In the rest of this section, we list what we require of our vocabulary T and 
structure X, occasionally adding some comments about the reasons for particular 
requirements. 

T should be finite. The reason is that the definition of satisfaction must, in 
the clauses for atomic formulas, use all the relation and function symbols of T. 

The equality predicate should be negatable. The reason is that the notion of 
EFPL formula requires some things to be distinct, for example the variables in 
the head of a rule and the head symbols of different rules in a program. 

$X$ should contain a copy $\mathbb{N}$ of the natural numbers, and $T$ should have a 
constant symbol for $0$ and a unary function symbol $S$ for successor. $\mathbb{N}$ itself, as 
a unary relation, is definable: 

$$\mathbb{N}(x) :\equiv \text{LET } N(z) \leftarrow z = 0 \lor \exists y\,(N(y) \land z = S(y)) \text{ THEN } N(x).$$

We could also define addition and multiplication as ternary relations, and the 
ordering, and similarly for other primitive recursive functions and relations. 

We need $\mathbb{N}$ primarily to index elements of lists, for example the list of terms 
that serves as the arguments of a relation or function symbol. Since T is finite, 
we could handle the argument lists of its own relation and function symbols in an 
ad hoc manner, without a general notion of natural number or of list. But EFPL 
imposes no bound on the arities of the head symbols of logic rules, so atomic 
formulas can involve arbitrarily long argument lists, and natural numbers are 
needed for treating these. 

Although EFPL does not allow universal quantification in general, it can 
simulate universal quantification over finite initial segments of $\mathbb{N}$, as shown by 
the following lemma from [7]. 

Lemma 2 For any EFPL formula $\varphi(x)$, there is an EFPL formula $\psi(y)$ 
equivalent, for all $y \in \mathbb{N}$, to $(\forall x < y)\,\varphi(x)$. 

Proof. The most natural choice of $\psi(y)$ describes a search from $0$ up to $y$: 

$$\text{LET } K(x) \leftarrow x = 0 \lor \exists w\,(x = S(w) \land K(w) \land \varphi(w)) \text{ THEN } K(y). \qquad \Box$$



* We shall occasionally indicate how certain notions can be defined from others in 
EFPL. Those indications can help to reduce the assumptions needed about T. 



Convention 3 Consider the definition of $\mathbb{N}$ exhibited above, and notice that its 
essential content is contained in the rule 

$$N(z) \leftarrow z = 0 \lor \exists y\,(N(y) \land z = S(y)),$$

which makes the bound predicate symbol $N$ denote the set of natural numbers. 
The rest of the definition, 

$$\mathbb{N}(x) :\equiv \text{LET} \ldots \text{THEN } N(x),$$

merely transfers this denotation to the defined notation $\mathbb{N}$. Instead of introducing 
a bound predicate variable $N$ to, in effect, duplicate the desired predicate $\mathbb{N}$, we 
could convey the same information by writing 

$$\mathbb{N}(z) \mathrel{:\leftarrow} z = 0 \lor \exists y\,(\mathbb{N}(y) \land z = S(y)).$$

Although this is not an EFPL formula, we adopt the convention that it is to 
serve as an abbreviation of the definition of $\mathbb{N}$ displayed earlier. In general, when 
we write a rule with a colon before the $\leftarrow$, it is to be interpreted as defining a 
formula. Thus, 

$$P(x) \mathrel{:\leftarrow} \delta(P, x)$$

means that $P(x)$ is defined as the formula 

$$\text{LET } Q(z) \leftarrow \delta(Q, z) \text{ THEN } Q(x).$$

Convention 4 Later, we shall also need to deal with definitions of this sort 
in which the body $\delta$ is a disjunction of many subformulas. For example, our 
ultimate goal, the definition of Sat, will have several disjuncts, covering the 
different syntactic constructs of EFPL. In such cases, it is convenient to present 
one disjunct (or a small number of them) at a time. Thus, for a small example, 
the definition of $\mathbb{N}$ above could be broken into two parts: 

$$\begin{aligned}
\mathbb{N}(z) &\mathrel{;\leftarrow} z = 0 \\
\mathbb{N}(z) &\mathrel{;\leftarrow} \exists y\,(\mathbb{N}(y) \land z = S(y)).
\end{aligned}$$

We use a semicolon before $\leftarrow$ (instead of a colon) to indicate that the full 
definition involves more disjuncts. (This use of a semicolon as a partial colon is 
suggested by the word "semicolon.") In general, if we write several semicolon 
definitions $P(x) \mathrel{;\leftarrow} \delta_i$ for the same $P(x)$, then they are to be understood as 
meaning $P(x) \mathrel{:\leftarrow} \bigvee_i \delta_i$. 

Returning to the requirements on $X$ and $T$, we require $X$ to contain the 
variables and the assignments. The latter are finite partial functions from the 
variables into (the universe of) $X$. $T$ should define a predicate Vbl for the set of 
variables, a constant symbol for the empty assignment, and a ternary function 
symbol Modify for the function defined as follows: Given an assignment $s$, a 
variable $v$, and an element $a$ of $X$, $\mathrm{Modify}(s, v, a)$ is the assignment $t$ that sends 
$v$ to $a$ and otherwise agrees with $s$ (whether or not a is in the domain of $s$). 



Convention 5 Here and in what follows, we use the terminology "$T$ should 
define a predicate for" some relation on $X$ to mean that there should be an 
EFPL formula in vocabulary $T$ whose truth set in $X$ is the desired relation. Of 
course, the easiest way to arrange this would be for the given relation to be one 
of the basic relations of $X$, so that the required EFPL formula would be atomic. 
But it will never matter whether the formula is atomic or not. 

Similarly, when we ask that $T$ should have certain function symbols, we could 
weaken that to require only some terms, possibly involving nesting of function 
symbols, and our proofs would be unchanged. 



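We also need to express "$s$ is an assignment," "$v$ is in the domain of $s$," and 
"$s(v) = a$," but we need not assume these separately, as they are definable from 
the constant for the empty assignment and Modify. They are given, using our 
conventions above and the familiar convention of (existentially) quantifying 
several variables at once, by 

$$\begin{aligned}
\mathrm{Assgt}(s) &\mathrel{;\leftarrow} s = \text{the empty assignment} \\
\mathrm{Assgt}(s) &\mathrel{;\leftarrow} \exists t, v, a\,(\mathrm{Assgt}(t) \land \mathrm{Vbl}(v) \land s = \mathrm{Modify}(t, v, a)) \\
v \;\mathrm{inDom}\; s &\mathrel{:\leftarrow} \exists t, a\,(s = \mathrm{Modify}(t, v, a)) \\
s(v) = a &\mathrel{:\leftarrow} \exists t\,(s = \mathrm{Modify}(t, v, a)).
\end{aligned}$$

Note that here $s(v) = a$ is defined as a ternary relation, not as an instance of 
equality. 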

We shall also need to have, among the elements of $X$, the relation and 
function symbols of $T$ as well as the extra predicates available as head symbols of 
rules. Each relation symbol $P$ or function symbol $f$ of $T$ should be denoted by 
a closed term $P$ or $f$ of $T$. (We remain flexible as to what the symbols of $T$ 
should be. For example, they could be Gödel numbers, and then their names $P$ 
and $f$ could be terms of the form $SS \ldots S(0)$. But there are many other options, 
and all will work. Note, however, that we cannot take all the $f$'s to be simple 
constant symbols, as they would then be among the $f$'s, and there would not be 
enough room in a finite $T$ for all of these names to have names.) 

The extra predicates available as head symbols of rules should have specified 
numbers of arguments. That is, there should be a $T$-definable predicate Arity 
such that $\mathrm{Arity}(a, n)$ holds in $X$ (for elements $a, n \in X$) if and only if $a$ is one of 
these head predicate symbols and $n \in \mathbb{N}$ is the number of its argument places. 

As mentioned earlier, we shall need lists, so we require that $X$ contain all 
lists (i.e., finite sequences) of elements of $X$. The vocabulary $T$ should contain at 
least the constant Nil, denoting the empty list, and the binary function symbol 
Append, for the function that lengthens a list by adding one element at the end. 
Thus, for example, 

$$(a, b, c) = \mathrm{Append}(\mathrm{Append}(\mathrm{Append}(\mathrm{Nil}, a), b), c).$$



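Other predicates and functions that we shall need for dealing with lists can be 
defined in terms of Nil and Append. 

$$\begin{aligned}
\mathrm{List}(l) &\mathrel{;\leftarrow} l = \mathrm{Nil} \\
\mathrm{List}(l) &\mathrel{;\leftarrow} \exists x, a\,(\mathrm{List}(x) \land l = \mathrm{Append}(x, a)) \\
l \;\mathrm{hasLength}\; n &\mathrel{;\leftarrow} l = \mathrm{Nil} \land n = 0 \\
l \;\mathrm{hasLength}\; n &\mathrel{;\leftarrow} \exists x, a, m\,(l = \mathrm{Append}(x, a) \land x \;\mathrm{hasLength}\; m \land n = S(m)) \\
(l)_i = a &\mathrel{;\leftarrow} \exists x\,(x \;\mathrm{hasLength}\; i \land l = \mathrm{Append}(x, a)) \\
(l)_i = a &\mathrel{;\leftarrow} \exists x, b\,((x)_i = a \land l = \mathrm{Append}(x, b)) \\
\mathrm{Cat}(a, b, l) &\mathrel{;\leftarrow} b = \mathrm{Nil} \land l = a \\
\mathrm{Cat}(a, b, l) &\mathrel{;\leftarrow} \exists c, x, m\,(\mathrm{Cat}(a, c, m) \land b = \mathrm{Append}(c, x) \land l = \mathrm{Append}(m, x)).
\end{aligned}$$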



Here $(l)_i = a$, though it looks like an equation, is really a defined ternary relation, 
whose meaning is that $a$ is the $i$-th component of the list $l$, where we start counting 
with 0, and where the length of $l$ must be at least $i + 1$ so that there is an $i$-th 
term. And "Cat" alludes to "concatenation". If $a, b, l$ are lists and $\mathrm{Cat}(a, b, l)$ 
holds, then $l$ is the concatenation $a * b$ of $a$ and $b$. 

We note the following consequence of Lemma 2, allowing universal quantifi- 
cation over the elements of a list. 

Corollary 6 For any EFPL formula $\varphi(x)$, there is an EFPL formula $\psi(y)$ that 
holds, when the value of $y$ is a list, if and only if $\varphi$ holds of all elements of that 
list. That is, $\psi(y)$ is the result of universally quantifying $\varphi(x)$ over all elements 
$x$ of the list $y$. 

Proof. Use Lemma 2 to express 

$$\exists n\,\bigl(y \;\mathrm{hasLength}\; n \land (\forall i < n)\,\exists z\,((y)_i = z \land \varphi(z))\bigr). \qquad \Box$$

It will be convenient to write $(\forall x \in y)\,\varphi(x)$ for the formula $\psi$ given by this 
corollary. 

Finally, X must contain the syntactic entities relevant to EFPL, such as 
terms, logic rules, logic programs, and formulas. The precise nature of these en- 
tities depends on arbitrary choices of how to represent syntax. We require merely 
that some representation be present and that T be able to describe fundamental 
syntactic relationships. 

First, $T$ should have a binary function symbol Apply, used to form a 
compound term $f(t_1, \ldots, t_n)$ from an $n$-ary function symbol $f$ and a list $(t_1, \ldots, t_n)$ 
of $n$ terms, and also used similarly to form atomic formulas $P(t_1, \ldots, t_n)$. 
Depending on how syntax is represented, Apply could, for example, be simply a 
pairing function, or it could be the operation of prepending an element to a list, 
or it could produce a tree from a root and its immediate subtrees, or it could be 
an arithmetical operation on Gödel numbers. 

There should also be a unary function symbol Neg and binary function 
symbols Conj, Disj, Quant, and IndAsrt for the operations of negating a formula, 
forming conjunctions, forming disjunctions, forming existential quantifications, 
and forming induction assertions LET $\Pi$ THEN $\varphi$. The arguments of these 
operations are intended to be formulas, except that the first argument of Quant is 
the variable being quantified and the first argument of IndAsrt is the program 
that goes between LET and THEN. 

There should also be a binary function symbol Rule for the operation building 
a logic rule from its head and its body. We shall take logic programs to be 
(certain) lists of rules, so we do not need additional capabilities in $T$ to handle 
these. (We could have used sets of rules instead, but then $T$ would need additional 
capabilities.) Finally, there is a ternary relation RenameAway such that, if $\Pi$ 
is a program and $\varphi$ is a formula and $\mathrm{RenameAway}(\varphi, \Pi, \varphi')$ holds, then $\varphi'$ is a 
formula obtained from $\varphi$ by renaming the bound predicates of $\varphi$ away from the 
head predicates of $\Pi$, so that the formula $\varphi'$ is equivalent to $\varphi$, and no head 
predicate of $\Pi$ is bound in $\varphi'$. 

This completes our requirements on T and X. They can be summarized 
thus: EFPL syntax and basic combinatorial ingredients for EFPL semantics (like 
assignments) are available in X and expressible in EFPL in vocabulary T . 

5 Semantics of terms 

Terms are built, as in FOL, by starting with variables and iteratively applying 
function symbols. The definition is formalized as follows. 

$$\begin{aligned}
\mathrm{Term}(t) &\mathrel{;\leftarrow} \mathrm{Vbl}(t) \\
\mathrm{Term}(t) &\mathrel{;\leftarrow} \exists l\,(t = \mathrm{Apply}(f, l) \land \mathrm{List}(l) \land l \;\mathrm{hasLength}\; \bar{n} \land (\forall x \in l)\,\mathrm{Term}(x)).
\end{aligned}$$

Here the second line is to be repeated for each function symbol $f$ of $T$, $n$ is the 
arity of $f$, and $\bar{n}$ is the numeral for $n$, namely $SS \ldots S(0)$ with $n$ occurrences of $S$. 
Recall that the universal quantification $\forall x \in l$ was introduced after Corollary 6 
as an abbreviation of an EFPL formula. Recall also that $T$ is finite, so there is 
no difficulty writing the appropriate line for each $f$. 

Semantically, a term gets a value (in the given structure X) once an assign- 
ment provides values for all the variables in t. So the values of terms are given 
by a binary function, whose arguments are a term and an assignment. To define 
it recursively, we regard this binary function as a ternary relation, and we define 
it as follows. 

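$$\begin{aligned}
\mathrm{Val}(t, s, a) \mathrel{;\leftarrow}{} & \mathrm{Vbl}(t) \land \mathrm{Assgt}(s) \land s(t) = a \\
\mathrm{Val}(t, s, a) \mathrel{;\leftarrow}{} & \exists l, u_0, \ldots, u_{n-1}, b_0, \ldots, b_{n-1} \\
& \bigl(t = \mathrm{Apply}(f, l) \land \mathrm{List}(l) \land l \;\mathrm{hasLength}\; \bar{n} \land \mathrm{Assgt}(s) \\
& \land \bigwedge_{i<n} ((l)_i = u_i \land \mathrm{Val}(u_i, s, b_i)) \land a = f(b_1, \ldots, b_n)\bigr).
\end{aligned}$$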

The explanatory comments after the definition of Term apply here as well. 



Remark 7 In principle, we could do without the definition of Term. The defi- 
nition of Val assigns values only to terms in any case. But it would do no harm 
if Val were defined in some extraneous cases, as long as it worked correctly for 
terms. 

6 Semantics of formulas 

As indicated earlier, the semantics of a formula involves not only the structure 
$X$ and an assignment $s$ but also a collection $\Pi$ of logic rules to determine the 
meaning of any extra predicates used in the formula but not bound by 
LET-THEN constructions in the formula. Ultimately, when we deal with $T$-formulas, 
there will be no such extra predicates, so $\Pi$ will be irrelevant, but in the recursive 
construction of a $T$-formula (and in the recursive definition of its satisfaction), 
subformulas can occur that do use extra predicates. So we shall define Sat as a 
ternary predicate, where the intended meaning of $\mathrm{Sat}(\varphi, \Pi, s)$ is that the formula 
$\varphi$ is true, in our given structure $X$, when the extra predicates are interpreted by 
the least fixed point of $\Pi$ and the free variables are assigned values by $s$. 

The definition of Sat will have numerous clauses, according to the last 
constructor used in building $\varphi$, so we shall make much use of the "$;\leftarrow$" convention. 
This way, we can present the clauses one (or a few) at a time and insert comments 
and even other definitions between them. 

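We begin with the case of atomic formulas whose predicates are from $T$. The 
definition is quite analogous to the earlier definition of the values of terms. 

$$\begin{aligned}
\mathrm{Sat}(\varphi, \Pi, s) \mathrel{;\leftarrow}{} & \exists l, u_0, \ldots, u_{n-1}, b_0, \ldots, b_{n-1} \\
& \bigl(\varphi = \mathrm{Apply}(P, l) \land \mathrm{List}(l) \land l \;\mathrm{hasLength}\; \bar{n} \land \mathrm{Assgt}(s) \qquad (1) \\
& \land \bigwedge_{i<n} ((l)_i = u_i \land \mathrm{Val}(u_i, s, b_i)) \land P(b_1, \ldots, b_n)\bigr).
\end{aligned}$$

This is to be repeated for all of the (finitely many) predicates $P$ of $T$ with $n$ 
being the arity of $P$. As before, $\bar{n}$ is the numeral for $n$. 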

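The case of negated atomic formulas is almost the same; of course it is to be 
repeated only for negatable $P$. 

$$\begin{aligned}
\mathrm{Sat}(\varphi, \Pi, s) \mathrel{;\leftarrow}{} & \exists l, u_0, \ldots, u_{n-1}, b_0, \ldots, b_{n-1} \\
& \bigl(\varphi = \mathrm{Neg}(\mathrm{Apply}(P, l)) \land \mathrm{List}(l) \land l \;\mathrm{hasLength}\; \bar{n} \land \mathrm{Assgt}(s) \qquad (2) \\
& \land \bigwedge_{i<n} ((l)_i = u_i \land \mathrm{Val}(u_i, s, b_i)) \land \neg P(b_1, \ldots, b_n)\bigr).
\end{aligned}$$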

Rather than continuing with the remaining atomic formulas, those that use 
extra predicates, let us first dispose of the remaining "easy" clauses, those not 
involving 77. 

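$$\begin{aligned}
\mathrm{Sat}(\varphi, \Pi, s) &\mathrel{;\leftarrow} \exists \alpha, \beta\,(\varphi = \mathrm{Conj}(\alpha, \beta) \land \mathrm{Sat}(\alpha, \Pi, s) \land \mathrm{Sat}(\beta, \Pi, s)) \\
\mathrm{Sat}(\varphi, \Pi, s) &\mathrel{;\leftarrow} \exists \alpha, \beta\,(\varphi = \mathrm{Disj}(\alpha, \beta) \land (\mathrm{Sat}(\alpha, \Pi, s) \lor \mathrm{Sat}(\beta, \Pi, s))) \qquad (3) \\
\mathrm{Sat}(\varphi, \Pi, s) &\mathrel{;\leftarrow} \exists \alpha, v, a\,(\varphi = \mathrm{Quant}(v, \alpha) \land \mathrm{Sat}(\alpha, \Pi, \mathrm{Modify}(s, v, a)))
\end{aligned}$$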



This completes the easier part of the definition of Sat, the part concerning just 
EL. To complete the definition for EFPL, we must deal carefully with programs 
in both of their roles — as the second argument of Sat and as a constituent of 
induction assertions. 

This will require some preliminaries. First, we need the notion of a list with 
no repetitions. 

$$\text{1-1-List}(l) :\equiv \exists n\,\bigl(l \;\mathrm{hasLength}\; n \land (\forall i, j < n)\,\exists x, y\,((l)_i = x \land (l)_j = y \land (i = j \lor \neg(x = y)))\bigr).$$

We also need a construction that amounts to applying a unary function to each 
element of a list, producing a new list. The situation is complicated by the fact 
that our unary functions are often given as binary relations. We therefore adopt 
the following notation. If we have defined a binary relation $R$, then we write $R^+$ 
for the relation defined as follows. 

$$
R^+(l, m) := \exists n \, \Big(l \text{ hasLength } n \land m \text{ hasLength } n \land (\forall i < n) \, \exists u, v \, \big((l)_i = u \land (m)_i = v \land R(u, v)\big)\Big).
$$

For example, let us define HS (abbreviating "head symbol") by 

$$
\mathrm{HS}(r, p) := \exists y, z \, \big(r = \mathrm{Rule}(\mathrm{Apply}(p, y), z)\big).
$$

Then when $\Pi$ is a list of rules, $\mathrm{HS}^+(\Pi, m)$ means that $m$ is the list of their 
head symbols. One of the requirements for a program is that this list $m$ be 
one-to-one, so there will be a clause $\exists m \, (\mathrm{HS}^+(\Pi, m) \land \text{1-1-List}(m))$ in the definition 
of program. 

We shall also use the plus-notation with a parameter. Specifically, we think 
of $\mathrm{Val}(u, s, b)$ as the graph of a function $u \mapsto b$ with $s$ fixed, so the plus-notation 
makes $\mathrm{Val}^+(u, s, b)$ the relation between a list of terms and their values, all for 
the same assignment $s$. We refrain from writing out the definition, since it's just 
like the definition of $R^+$ above, with the extra argument $s$ inserted into both $R$ 
and $R^+$. 

We need an improved version of the function Modify, to modify an assignment 
by mapping all the variables in a list $l$ to the corresponding values in another 
list $q$ (of the same length). 

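$$
\begin{aligned}
\mathrm{Change}(s, l, q, r) &:\leftarrow l = \mathrm{Nil} \land q = \mathrm{Nil} \land s = r \\
\mathrm{Change}(s, l, q, r) &:\leftarrow \exists l', q', r', v, a \, \big(l = \mathrm{Append}(l', v) \land q = \mathrm{Append}(q', a) \\
&\qquad \land \mathrm{Change}(s, l', q', r') \land r = \mathrm{Modify}(r', v, a)\big).
\end{aligned}
$$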

With these preliminaries, we can write down the definition of satisfaction for 
atomic formulas that begin with one of the extra predicates. The idea is to find, 
in $\Pi$, the rule having that symbol as its head symbol, and to use the body of 
that rule as the criterion of truth for our atomic formula. It will be useful later 
to make sure that the $\Pi$ in the second argument place of Sat has no repeated 
head symbols, so we include that in the definition. 

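$$
\begin{aligned}
\mathrm{Sat}(\varphi, \Pi, s) :\leftarrow{} & \exists p, t, k, i, m, l, r, q, \delta \\
& \Big(\varphi = \mathrm{Apply}(p, t) \land t \text{ hasLength } k \land \mathrm{Arity}(p, k) \land {} \\
& \quad (\forall x \in t)\, \mathrm{Term}(x) \land \mathrm{HS}^+(\Pi, m) \land \text{1-1-List}(m) \land {} \\
& \quad (\Pi)_i = \mathrm{Rule}(\mathrm{Apply}(p, l), \delta) \land \text{1-1-List}(l) \land {} \\
& \quad l \text{ hasLength } k \land (\forall x \in l)\, \mathrm{Vbl}(x) \land \mathrm{Val}^+(t, s, q) \land {} \\
& \quad \mathrm{Change}(s, l, q, r) \land \mathrm{Sat}(\delta, \Pi, r)\Big).
\end{aligned}
\tag{4}
$$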

In prose, the essential part of this says that $\varphi$ has the form $p(t)$ for an extra 
predicate of arity $k$, with $t$ being a $k$-tuple of terms; that $\Pi$ contains a rule 
$p(l) \leftarrow \delta$ with head $p$, $l$ being a $k$-tuple of distinct variables; and that $\delta$ is satisfied 
by the assignment $r$ obtained from $s$ by replacing each of the variables in the 
list $l$ by the value of the corresponding element of $t$. This replacement amounts, 
intuitively, to taking the definition of $p(l)$ as $\delta(l)$ and applying it to $p(t)$, the 
terms $t$ replacing the variables $l$. Instead of doing a syntactic substitution of $t$ 
for $l$ in $\delta$, we have made the corresponding semantic change, assigning to the 
variables in $l$ the values of the terms in $t$. 

It may seem strange that this clause in the definition of Sat says nothing 
about iterating the operator defined by $\delta$. After all, $p$ should be interpreted as 
the least fixed point of that operator. But the desired iteration is automatically 
accomplished by the iteration involved in the definition of Sat. That is, if $p$ 
occurs in $\delta$, then the true instances of $p$ can contribute to the true instances of 
$\delta$ and can thereby contribute to additional true instances of $p$. 

We must still provide the clause for induction assertions in our definition of 
Sat. Fortunately, this is relatively easy, since iteration is already implicitly done 
in the preceding clause. 

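$$
\begin{aligned}
\mathrm{Sat}(\varphi, \Pi, s) :\leftarrow{} & \exists \varphi', \Sigma, \alpha, \Theta \\
& \big(\mathrm{RenameAway}(\varphi, \Pi, \varphi') \land \varphi' = \mathrm{IndAsrt}(\Sigma, \alpha) \\
& \quad \land \mathrm{Cat}(\Pi, \Sigma, \Theta) \land \mathrm{Sat}(\alpha, \Theta, s)\big).
\end{aligned}
\tag{5}
$$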

Here $\varphi'$ is equivalent to $\varphi$ and so $\mathrm{Sat}(\varphi, \Pi, s)$ should be equivalent to 
$\mathrm{Sat}(\varphi', \Pi, s)$. Further, $\varphi' = \text{LET } \Sigma \text{ THEN } \alpha$, and no head predicate of $\Pi$ is 
bound in $\varphi'$. It follows that the head predicates of $\Pi$ are disjoint from the head 
predicates of $\Sigma$, so that the concatenation $\Theta$ of $\Pi$ and $\Sigma$ is a legitimate program. 
Accordingly $\mathrm{Sat}(\varphi', \Pi, s)$ should be equivalent to $\mathrm{Sat}(\alpha, \Theta, s)$. 

That concludes the definition of $\mathrm{Sat}(\varphi, \Pi, s)$. It is easy to see that it works 
as intended. In the case when $\varphi$ is a sentence and when both $\Pi$ and $s$ are empty, 
$\mathrm{Sat}(\varphi, \Pi, s)$ holds in the structure X if and only if $\varphi$ does. 
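
The clauses of Sat above, as an added example that is not code from the paper: a Python evaluator over a small constructed finite structure, in which the iteration that the recursive definition of Sat performs implicitly is written out as an explicit stage-by-stage loop. It assumes terms are variables only, rule bodies mention no variables besides their head variables, and RenameAway has already been applied; the tuple encoding of formulas and the names `holds`, `least_fixed_point`, `sat`, `TC` are hypothetical.

```python
from itertools import product

DOMAIN = [0, 1, 2, 3]                     # constructed structure: 3 is isolated
BASE = {"E": {(0, 1), (1, 2), (2, 0)}}    # edges form the cycle 0 -> 1 -> 2 -> 0
# Constructed program: T(x, y) <- E(x, y) or exists z (E(x, z) and T(z, y)).
TC = [("T", ["x", "y"], ("disj", ("atom", "E", ["x", "y"]),
       ("quant", "z", ("conj", ("atom", "E", ["x", "z"]), ("apply", "T", ["z", "y"])))))]

def change(s, l, q):                      # Change(s, l, q, r), returning r
    return {**s, **dict(zip(l, q))}

def vals(terms, s):                       # Val^+; terms are variables only here
    return tuple(s[u] for u in terms)

def holds(phi, prog, s, known):
    """Clauses of Sat, with extra-predicate facts read from the stage `known`."""
    tag = phi[0]
    if tag == "atom":                     # atomic formula over a base predicate
        return vals(phi[2], s) in BASE[phi[1]]
    if tag == "neg":                      # negated atomic formula
        return vals(phi[2], s) not in BASE[phi[1]]
    if tag == "conj":
        return holds(phi[1], prog, s, known) and holds(phi[2], prog, s, known)
    if tag == "disj":
        return holds(phi[1], prog, s, known) or holds(phi[2], prog, s, known)
    if tag == "quant":                    # existential quantifier via Modify
        return any(holds(phi[2], prog, change(s, [phi[1]], [a]), known) for a in DOMAIN)
    if tag == "apply":                    # extra predicate: look up p(values of t)
        return (phi[1], vals(phi[2], s)) in known
    if tag == "let":                      # induction assertion LET Sigma THEN alpha
        theta = prog + phi[1]             # Cat(Pi, Sigma, Theta)
        return holds(phi[2], theta, s, least_fixed_point(theta))
    raise ValueError(f"unknown constructor {tag!r}")

def least_fixed_point(prog):
    heads = [p for p, _, _ in prog]
    if len(set(heads)) != len(heads):     # the 1-1-List requirement on head symbols
        raise ValueError("repeated head symbol")
    known = set()                         # stage 0 of the iteration
    while True:
        new = {(p, q) for p, l, delta in prog
               for q in product(DOMAIN, repeat=len(l))
               if holds(delta, prog, change({}, l, q), known)}
        if new <= known:
            return known
        known |= new

def sat(phi, prog=(), s=None):
    return holds(phi, list(prog), s or {}, least_fixed_point(list(prog)))
```

A naive recursive descent through the extra-predicate clause would not terminate on a query such as T(0, 3), because the cycle keeps regenerating the same subgoal; the staged iteration reaches the least fixed point after three rounds.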